Feedback issue: Security Analyst Agent (Beta)

Welcome to the Security Analyst Agent Beta! 🔒

The purpose of this feedback issue is to collect your experiences with the Security Analyst Agent (Beta), a new AI-powered security analyst agent for GitLab. Our goal is to understand how the Security Analyst Agent is helping (or hindering) your vulnerability management workflows, identify bugs and improvement areas, and prioritize enhancements based on real usage. Your feedback will directly influence how we evolve this agent from Beta to GA.

Limited Beta Availability

  • Only available in SaaS in 18.5
  • Accessible via Duo Chat side panel within projects
  • Requires Ultimate tier with GitLab Duo add-on subscription

What is the Security Analyst Agent?

The Security Analyst Agent is a specialized security analyst agent available in the Duo Chat side panel that acts like a security teammate. It combines security expertise with context-awareness of GitLab security features (vulnerability reports, security dashboards, and compliance tools).

Current Beta capabilities (18.5)

What the Security Analyst Agent CAN do:

  • List all vulnerabilities in a project with filtering by severity and report types
  • Get detailed vulnerability information including CVE data, EPSS scores, and reachability analysis
  • Confirm vulnerabilities when verified as genuine security issues
  • Dismiss false positives or acceptable risks with proper reasoning
  • Update vulnerability severity levels based on security review
  • Revert vulnerability status back to detected for re-assessment
  • Create GitLab issues automatically linked to vulnerabilities
  • Link existing issues to vulnerabilities for tracking
  • Analyze vulnerability trends and security posture
  • Provide remediation guidance and security recommendations

⚠️ Beta Limitations:

  • Limited to Ultimate tier with Duo add-on subscription
  • May not understand all custom security workflows or policies
  • Cannot directly modify code or apply security patches
  • May not have access to all external security tools integrations
  • Cannot perform automated penetration testing or active scanning

Planned GA features

  • Self-Managed and Dedicated platform support
  • Enhanced integration with external security tools
  • Advanced compliance reporting capabilities
  • Automated remediation workflows
  • Cross-project security analysis
  • Integration with security boards and dashboards

🎯 Feedback we're especially interested in

  1. Accuracy: Does the Security Analyst Agent correctly identify and assess vulnerabilities?
  2. Usefulness: Which security responses save you time vs. create more work?
  3. Risk Assessment: Are severity evaluations and EPSS score interpretations helpful and accurate?
  4. Tone: Is the security expertise voice appropriate for your team?
  5. Missing capabilities: What security tasks can't you accomplish?
  6. False Positives: How well does the agent distinguish genuine threats from benign findings?

📝 How to give feedback

  1. Check existing feedback: Review threads below to see if your issue is already reported. Add a 👍 or comment to show support.
  2. Start a new thread: Use a descriptive title like "Incorrect EPSS score interpretation" or "Missing container vulnerability context"
  3. Include context:
    • Your prompt to the Security Analyst Agent
    • The response you received
    • What you expected vs. what happened
    • URLs or screenshots (sanitized as needed)
    • Vulnerability IDs or security scan types involved
  4. Rate the response: On a scale of 1-5, how useful was it?

Example feedback format

  • Title: Incorrect severity assessment for SQL injection vulnerability
  • Prompt: "Analyze the severity of vulnerability ID 12345 and recommend next steps"
  • Context: [Link to vulnerability or description]
  • What happened: Security Analyst Agent recommended dismissing a critical SQL injection as low severity
  • Expected: Should recognize SQL injection patterns and assess appropriate severity
  • Usefulness: 1/5 - Could have led to security incident if followed
  • Screenshots: [If applicable]

🤝 What you can expect from us

  1. We will read all feedback during the Beta period
  2. We will prioritize fixes for GA based on feedback patterns
  3. We will create issues for reproducible problems with severity/priority labels
  4. We may reach out for clarification on complex security issues

🐛 Known Beta Issues

  • Security Analyst Agent may occasionally reference capabilities it doesn't have (e.g., "I'll patch this vulnerability")
  • May not recognize all custom security labels or compliance frameworks
  • Complete list of known Security Analyst Agent bugs here

🛡️ 🔒 🔑 Thank you for helping us make the Security Analyst Agent an indispensable part of your security workflow! Your feedback during this Beta period is crucial for delivering a GA release that truly acts like a security teammate. 🕵️ 🔍 🔐

Edited by Nate Rosandich